Friday, 23 January 2015

FCA Enforcement: Going Global

With the advent of 2015, some people have talked about New Year's resolutions but frankly I still had one enforcement case from the Financial Conduct Authority (FCA) from 2014 I was keen to review.  

The case concerns a general insurer, Stonebridge, selling a range of accidental protection products offering cash compensation.  The FCA imposed a fine of £8.4 million as a result of the breaches identified.  (Click here to read the full details of the case.)

The business involved outsourcing sales process to a number of third party companies.  The products were sold in the UK and in a number of European countries (France, Germany, Italy and Spain) over the phone on a non-advised basis.  Names of potential clients were obtained from a range of business partners which were remunerated when sales were made.  These business partners were not involved in selling the products. 

The case results from the breaches of FCA principles concerning the fair treatment of customers (Principle 3) and appropriate systems and controls, including appropriate risk management (Principle 6).  The case provides a number of interesting lessons about the interaction of risk management and regulation.

1.  Fines may become a small component of the cost to firms of regulatory enforcement

In this case and in addition to the fine, the company committed to undertake a range of voluntary measures.  This includes a review of past business sold in the UK and European countries and compensation where losses arise as a result of the failings identified in this case.  

In addition to that, the company has replaced its executive management team, has ceased distribution of all products in the UK and European countries and has undertaken a comprehensive review of its governance structure, including new terms of reference and risk management framework.

2.  The FCA is applying UK requirements to non-UK operations

This is intentionally blunt!  In more subtle phraseology, the enforcement notice makes a distinction between the failure “to pay due regard to the interests of customers in the UK and treat them fairly” (my emphasis) and the failure to implement adequate systems and control which applies to the entire business, including European business.  The FCA identified significant failures which included inadequate management information, executive and board oversight and compliance oversight.   

3.  The importance of proactively managing the process

I have already written on the importance of proactively managing the enforcement process and contrasted two different responses to technical breaches (here and here).   This case provides an alternative perspective.  

The starting point seems to be an FCA review of a sample of sales calls during March and April 2012, an action presumably arising from the FCA’s ongoing supervision of Stonebridge.  The enforcement case ends up covering sales all around Europe, post-sale cancellation and the company’s systems and controls. 

When confronted with the initial findings from a regulator, there may be a temptation to challenge the findings.  This would be appropriate up to a point.  

An alternative approach would be to accept the substance of the findings and consider how the underlying events could have happened from a risk governance perspective.  This would require reviewing governance arrangements through the company, the risk management framework and the effectiveness of the oversight provided by the second line of defence.  Hindsight is always a powerful tool but it seems that this course of action could have been more effective in limiting the potential consequences.

Finally, this case also illustrates other failures, such as weak controls over outsourcing and a skewed sales incentive mechanism.

You can subscribe to future posts here.

This post has been added to the page FCA enforcement in this blog which links all the enforcement cases I have reviewed.

Monday, 12 January 2015

Hunting Elephants: The Ultimate Frontier for Enterprise Risk Management (ERM)?

One of the aspects of implementing ERM is putting in place an approach to consider its effectiveness.  A combination of approaches is typically suggested for this purpose, including a consideration of the approaches adopted and evidence of the risk culture.  

An alternative would be to establish whether the implementation of ERM ensures that the appropriate conversations about risks are taking place in the business.  The elephant is the proverbial unspoken element of a discussion – about risks in this case. 

An interesting paper from a working group of the UK Institute of Actuaries entitled ‘Risk: Elephants in the Room’ looks into the causes that may explain why conversations about risks have not been happening effectively in insurers.  (Click here for the paper.) 

The paper identifies two main reasons why these conversations may not be taking place:

1.     There is limited understanding of the underlying issues. 

This could result from limited knowledge depth on the relevant subject.  I suppose this is the typical regulatory concern about insurers investing in new types of assets or venturing into non-core areas.

The paper offers a good list of examples of typical elephants (pages 7 to 9) which could help senior management self-check whether something has been missed.  It also outlines two approaches to identify elephants – based on risk lineage and scenarios – which seem a useful starting point.

2.     ‘Soft’ factors prevent risk discussions from happening or limit their effectiveness, even where risk elephants are known.

The paper identifies a number of such ‘soft’ factors: 
  • risk culture prevents free and open discussion about risks; 
  • complexity of the underlying issues can alienate the audience;
  • the regulatory perspective sometimes associated with risk tunes out executives;
  • over-reliance on quantification; once a risk is quantified the level of oversight diminishes, which is particularly risky for low-frequency, high-severity risks;
  • risk universe bias; an elephant can be a risk that does not fit into any of the existing risk categories.

Two practical implications from this paper strike me:

1.     A risk function should have appropriate resources to identify relevant elephants.

This would require a combination of internal and external resources.  For example, if an insurer chooses to invest in alternative assets, it should develop appropriate expertise in the area.  However, the risk function may need external support to ensure that elephants in other areas are also identified.

2.     Consider the ‘soft’ factors that may hamper the effectiveness of risk discussions, and risk management more generally.

This consideration of soft factors should be part of an ERM implementation.  However, it should also be a consideration of any assessment of the operational effectiveness of the risk function.

What do you think?  Do you have any thoughts on these suggestions about risk elephants and their identification? 